summit 
or? 

n"

 

DEPARTMENT OF HEALTH 8; HUMAN SERVICES OFFICE OF THE SECRETARY
Voice- [404} 562-7886. 358-1019 Of?ce for Civil Rights, Region 
in? TDD- (404} 5523834. [300) l5] Street, 5. W.
- {404} 5523351 Atlanta Federal Center, Suite JBTH
h?pifW- hhS-s?w?ocr? Atlanta, GA stuns-sans

August 2011

 



 

 

 

Ms. Andrea Wilson, RHIA, CIPP, 

Privacy Implementation Coordinator

VHA Information Access and Privacy Office 
Department of Veteran?s Affairs

810 Vermont Ave NW

Washington, DC 20420

 

Re: iv. Lake City VA Medical Center
Reference number: 1 1-127508

Dear {blimiblmm and Ms.Wilson:

On 0302/20] 1, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of
Individually Identi?able Health Information andx?or the Security Standards for the Protection of
Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the

 

 

 

Privac and Security Rules). Speci?cally, IComplainant, states that {blt?ttbl
PN, impermissibly accessed her medical records while working for the Lake City VA
Medical Center. According to accessed her medical records on several

 

 

 

occasions from October to November 201 1. These allegations could re?ect violations of 45
C.F.R. l64.530(c) and respectively.

The Privacy Rule states that a covered entity may not use or disclose protected health
information except as permitted or required by the Privacy Rule. See 45 C.F.R 164.502 
The Privacy Rule also mandates that a covered entity must have in place appropriate
administrative, technical and physical safeguards to protect the privacy of protected health
information. See 45 C.F.R. The Privacy Rule also mandates that a covered
entity must identify those classes of individuals who needed access to PHI in order to perform
their daily duties. See 45 CPR.